Update Ruby on Rails 6.0 related packages to 6.0.3.4.
This is security fix for ruby-actionpack60.
## Rails 6.0.3.4 (October 07, 2020) ##
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the really updated package and other packages
have no change except version.
CHANGELOG of www/ruby-actionpack60 is here:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
ruby26-base and beyond don't need this patch anymore. They get the
configuration directory from Gem::ConfigFile::SYSTEM_CONFIG_PATH, which
is set to RbConfig::CONFIG["sysconfdir"], which in turn is set to
PKGSYSCONFDIR.
Update ruby24-base (and ruby24) to 2.4.10.
This release includes a security fix. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. Thus, this release would be the last of Ruby 2.4 series. We
recommend you immediately upgrade Ruby to newer versions, such as 2.7 or 2.6
or 2.5.
Update ruby25-base (and ruby25) to 2.5.8.
2.5.8 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
Update ruby27-base (and ruby27) to 2.7.1.
2.7.1 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
Update ruby26-base (and ruby26 related packages) to 2.6.6.
2.6.6 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Change default vesion of Ruby from 2.4.x to 2.6.x.
* Ruby 2.7 will be released within this year.
* Ruby 2.6.x is stable enough and actively maintained.
* Ryby 2.5.x will be in security maintenance phase after
release of Ruby 2.7.
* Ruby 2.4.x will be EOL after 31th March 2020.
Replace RUBY_BUILD_RDOC and RUBY_BUILD_RI with RUBY_BUILD_DOCUMENT since
rdoc's --no-rdoc and --no-ri options are deprecated almost 8 years ago
and these options are replaced with -no-document option.
No package should be changed.
Update ruby26-base and ruby26 packges to 2.6.5
pkgsrc chagnes
* fix warnings of pkglint.
Quote from release announce:
Ruby 2.6.5 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Update ruby25-base, ruby25 and ruby25-mode packges to 2.5.7.
pkgsrc chagnes
* fix warnings of pkglint.
Quote from release announce:
Ruby 2.5.7 (2019-10-01)
This release includes security fixes as listed below. Please check the
topics below for details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Update ruby24-base and related packges to 2.4.9.
pkgsrc chagnes
* fix warnings of pkglint.
Quote from release announce:
Ruby 2.4.8 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick¡Çs Digest access authentication
Ruby 2.4.9 (2019-10-02)
This release is a re-package of 2.4.8 because the previous Ruby 2.4.8
release tarball does not install. (See [Bug #16197] in detail.) There are no
essential change except their version numbers between 2.4.8 and 2.4.9.
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
Update lang/ruby26-base and lang/ruby26 to 2.6.4.
Ruby 2.6.4 (2019-08-28)
Ruby 2.6.4 has been released.
This release includes a security fix of rdoc. Please check the topics below
for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit logs for changes in detail.
Update ruby25-base/ruby25 to 2.5.6.
Ruby 2.5.6 (2019-08-28)
Ruby 2.5.6 has been released.
This release includes about 40 bug fixes after the previous release, and also includes a security fix. Please check the topics below for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit log for details.
2.4.7 (2019-08-28)
Ruby 2.4.7 has been released.
This release includes a security fix. Please check the topics below for
details.
* Multiple jQuery vulnerabilities in RDoc
Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
Update ruby26{,-base} to 2.6.3. Here is release announce:
Ruby 2.6.3 Released
Posted by naruse on 17 Apr 2019
Ruby 2.6.3 has been released.
This release adds support for New Japanese Era “令和” (Reiwa). It updates
the Unicode version to 12.1 beta (#15195), and updates date library (#15742).
This release also includes some bug fixes. See details commit logs.
* vulnerabilities of rubygems are already fixed in 2.4.5nb1.
Ruby 2.4.6 Released 1 Apr 2019
Ruby 2.4.6 has been released.
This release includes about 20 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* Multiple vulnerabilities in RubyGems
See the commit log for details.
After this release, we will end the normal maintenance phase of Ruby 2.4, and
start the security maintenance phase of it. This means that after the release
of 2.4.6 we will never backport any bug fixes to 2.4 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.4 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.6 or 2.5.
Update ruby26{,-base} to 2.6.2.
Quote from release announce.
Ruby 2.6.2 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems.
See details in Multiple vulnerabilities in RubyGems and the commit logs.
Update ruby25{,-base} to 2.5.5.
Quote from release announce:
Ruby 2.5.4 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems. See details in Multiple vulnerabilities in RubyGems and the commit
logs.
Ruby 2.5.5 (2019-03-15)
This release includes a bug fix for the deadlock in the
multi-thread+multi-process (using Process.fork) applications (ex: puma).
